Implement regexp support for cookies encryption

It's now possible to encrypt cookies matching a specific regexp.

This should close #106 

22 files changed, 304 insertions, 65 deletions

diff --git a/src/snuffleupagus.c b/src/snuffleupagus.c
index ae1a864..afbd725 100644
--- a/src/snuffleupagus.c
+++ b/src/snuffleupagus.c
@@ -78,7 +78,7 @@ PHP_GINIT_FUNCTION(snuffleupagus) {
   snuffleupagus_globals->config.config_disabled_constructs->construct_eval = sp_list_new();
   snuffleupagus_globals->config.config_disabled_functions->disabled_functions = sp_list_new();
   snuffleupagus_globals->config.config_disabled_functions_ret->disabled_functions = sp_list_new();
-  SP_INIT_HT(snuffleupagus_globals->config.config_cookie->cookies);
+  snuffleupagus_globals->config.config_cookie->cookies = sp_list_new();
 
 #undef SP_INIT
 #undef SP_INIT_HT
@@ -96,7 +96,6 @@ PHP_MSHUTDOWN_FUNCTION(snuffleupagus) {
   pefree(SNUFFLEUPAGUS_G(F), 1);
 
   FREE_HT(disabled_functions_hook);
-  FREE_HT(config.config_cookie->cookies);
 
 #undef FREE_HT
 
@@ -109,19 +108,20 @@ PHP_MSHUTDOWN_FUNCTION(snuffleupagus) {
   pefree(SNUFFLEUPAGUS_G(config.config_disable_xxe), 1);
   pefree(SNUFFLEUPAGUS_G(config.config_upload_validation), 1);
 
-#define FREE_LST(L) \
+#define FREE_LST_DISABLE(L) \
   do { \
     sp_list_node* _n = SNUFFLEUPAGUS_G(L); \
     sp_disabled_function_list_free(_n); \
     sp_list_free(_n); \
   } while(0)
 
-  FREE_LST(config.config_disabled_functions->disabled_functions);
-  FREE_LST(config.config_disabled_functions_ret->disabled_functions);
-  FREE_LST(config.config_disabled_constructs->construct_include);
-  FREE_LST(config.config_disabled_constructs->construct_eval);
+  FREE_LST_DISABLE(config.config_disabled_functions->disabled_functions);
+  FREE_LST_DISABLE(config.config_disabled_functions_ret->disabled_functions);
+  FREE_LST_DISABLE(config.config_disabled_constructs->construct_include);
+  FREE_LST_DISABLE(config.config_disabled_constructs->construct_eval);
+  sp_list_free(SNUFFLEUPAGUS_G(config).config_cookie->cookies);
 
-#undef FREE_LST
+#undef FREE_LST_DISABLE
 
   pefree(SNUFFLEUPAGUS_G(config.config_disabled_functions), 1);
   pefree(SNUFFLEUPAGUS_G(config.config_disabled_functions_ret), 1);
diff --git a/src/sp_config.c b/src/sp_config.c
index 1877859..f1c7b65 100644
--- a/src/sp_config.c
+++ b/src/sp_config.c
@@ -186,13 +186,13 @@ int sp_parse_config(const char *conf_file) {
 void sp_disabled_function_list_free(sp_list_node* list) {
   sp_list_node* cursor = list;
   while(cursor) {
-      sp_disabled_function* df = cursor->data;
-      if (df && df->functions_list)
-          sp_list_free(df->functions_list);
-      if (df) {
-        sp_tree_free(df->param);
-        sp_tree_free(df->var);
-      }
-      cursor = cursor->next;
+    sp_disabled_function* df = cursor->data;
+    if (df && df->functions_list)
+      sp_list_free(df->functions_list);
+    if (df) {
+      sp_tree_free(df->param);
+      sp_tree_free(df->var);
+    }
+    cursor = cursor->next;
   }
 }
diff --git a/src/sp_config.h b/src/sp_config.h
index 3a7a79c..aca9ff6 100644
--- a/src/sp_config.h
+++ b/src/sp_config.h
@@ -58,7 +58,9 @@ typedef struct { bool enable; } sp_config_disable_xxe;
 typedef struct {
   enum samesite_type {strict=1, lax=2} samesite;
   bool encrypt;
-        bool simulation;
+  char *name;
+  pcre *name_r;
+  bool simulation;
 } sp_cookie;
 
 typedef struct {
@@ -114,7 +116,7 @@ typedef struct {
 } sp_config_disabled_functions;
 
 typedef struct {
-  HashTable *cookies;  // HashTable of sp_cookie
+  sp_list_node *cookies; //list of sp_cookie for regexp/names
 } sp_config_cookie;
 
 typedef struct {
@@ -204,6 +206,7 @@ typedef struct {
 
 // cookies encryption
 #define SP_TOKEN_NAME ".name("
+#define SP_TOKEN_NAME_REGEXP ".name_r("
 
 // cookies samesite
 #define SP_TOKEN_SAMESITE ".samesite("
diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c
index 32363b8..f4ff249 100644
--- a/src/sp_config_keywords.c
+++ b/src/sp_config_keywords.c
@@ -104,16 +104,15 @@ int parse_global(char *line) {
 
 int parse_cookie(char *line) {
   int ret = 0;
-  char *samesite = NULL, *name = NULL;
+  char *samesite = NULL;
   sp_cookie *cookie = pecalloc(sizeof(sp_cookie), 1, 1);
-  zend_string *zend_name;
 
   sp_config_functions sp_config_funcs_cookie_encryption[] = {
-      {parse_str, SP_TOKEN_NAME, &name},
-      {parse_str, SP_TOKEN_SAMESITE, &samesite},
-      {parse_empty, SP_TOKEN_SIMULATION, &cookie->simulation},
-      {parse_empty, SP_TOKEN_ENCRYPT, &cookie->encrypt},
-      {0}};
+    {parse_str, SP_TOKEN_NAME, &(cookie->name)},
+    {parse_regexp, SP_TOKEN_NAME_REGEXP, &(cookie->name_r)},
+    {parse_str, SP_TOKEN_SAMESITE, &samesite},
+    {parse_empty, SP_TOKEN_ENCRYPT, &cookie->encrypt},
+    {0}};
 
   ret = parse_keywords(sp_config_funcs_cookie_encryption, line);
   if (0 != ret) {
@@ -122,21 +121,18 @@ int parse_cookie(char *line) {
 
   if (cookie->encrypt) {
     if (0 == (SNUFFLEUPAGUS_G(config).config_snuffleupagus->cookies_env_var)) {
-      sp_log_err(
-          "config",
-          "You're trying to use the cookie encryption feature"
-          "on line %zu without having set the `.cookie_env_var` option in"
-          "`sp.global`: please set it first.",
+      sp_log_err("config",
+                 "You're trying to use the cookie encryption feature"
+                 "on line %zu without having set the `.cookie_env_var` option in"
+                 "`sp.global`: please set it first.",
           sp_line_no);
       return -1;
-    } else if (0 ==
-               (SNUFFLEUPAGUS_G(config).config_snuffleupagus->encryption_key)) {
-      sp_log_err(
-          "config",
-          "You're trying to use the cookie encryption feature"
-          "on line %zu without having set the `.encryption_key` option in"
-          "`sp.global`: please set it first.",
-          sp_line_no);
+    } else if (0 == (SNUFFLEUPAGUS_G(config).config_snuffleupagus->encryption_key)) {
+      sp_log_err("config",
+                 "You're trying to use the cookie encryption feature"
+                 "on line %zu without having set the `.encryption_key` option in"
+                 "`sp.global`: please set it first.",
+                 sp_line_no);
       return -1;
     }
   } else if (!samesite) {
@@ -146,9 +142,16 @@ int parse_cookie(char *line) {
                sp_line_no);
     return -1;
   }
-  if (0 == strlen(name)) {
+  if ((!cookie->name || '\0' == cookie->name[0]) && !cookie->name_r) {
+    sp_log_err("config",
+               "You must specify a cookie name/regexp on line "
+               "%zu.",
+               sp_line_no);
+    return -1;
+  }
+  if (cookie->name && cookie->name_r) {
     sp_log_err("config",
-               "You must specify a cookie name on line "
+               "name and name_r are mutually exclusive on line "
                "%zu.",
                sp_line_no);
     return -1;
@@ -159,20 +162,16 @@ int parse_cookie(char *line) {
     } else if (0 == strcasecmp(samesite, SP_TOKEN_SAMESITE_STRICT)) {
       cookie->samesite = strict;
     } else {
-      sp_log_err(
-          "config",
-          "%s is an invalid value to samesite (expected %s or %s) on line "
-          "%zu.",
-          samesite, SP_TOKEN_SAMESITE_LAX, SP_TOKEN_SAMESITE_STRICT,
-          sp_line_no);
+      sp_log_err("config",
+                 "%s is an invalid value to samesite (expected %s or %s) on line "
+                 "%zu.",
+                 samesite, SP_TOKEN_SAMESITE_LAX, SP_TOKEN_SAMESITE_STRICT,
+                 sp_line_no);
       return -1;
     }
   }
-
-  zend_name = zend_string_init(name, strlen(name), 1);
-  zend_hash_add_ptr(SNUFFLEUPAGUS_G(config).config_cookie->cookies, zend_name,
-                    cookie);
-
+  sp_list_insert(SNUFFLEUPAGUS_G(config).config_cookie->cookies,
+                 cookie);
   return SUCCESS;
 }
 
diff --git a/src/sp_cookie_encryption.c b/src/sp_cookie_encryption.c
index 04c864f..4e9818f 100644
--- a/src/sp_cookie_encryption.c
+++ b/src/sp_cookie_encryption.c
@@ -39,21 +39,34 @@ static inline void generate_key(unsigned char *key) {
   PHP_SHA256Final((unsigned char *)key, &ctx);
 }
 
+static inline const sp_cookie *sp_lookup_cookie_config(const char *key) {
+  sp_list_node *it = SNUFFLEUPAGUS_G(config).config_cookie->cookies;
+  
+  while (it) {
+  const sp_cookie *config = it->data;
+    if (config && sp_match_value(key, config->name, config->name_r)) {
+      return config;
+    }
+    it = it->next;
+  }
+  return NULL;
+}
+
+/* called at RINIT time with each cookie, eventually decrypt said cookie */
 int decrypt_cookie(zval *pDest, int num_args, va_list args,
                    zend_hash_key *hash_key) {
   unsigned char key[crypto_secretbox_KEYBYTES] = {0};
   zend_string *debase64;
   unsigned char *decrypted;
-  sp_cookie *cookie = zend_hash_find_ptr(SNUFFLEUPAGUS_G(config).config_cookie->cookies,
-                                         hash_key->key);
+  const sp_cookie *cookie = sp_lookup_cookie_config(ZSTR_VAL(hash_key->key));
   int ret = 0;
-
+  
   /* If the cookie isn't in the conf, it shouldn't be encrypted. */
   if (!cookie || !cookie->encrypt) {
     return ZEND_HASH_APPLY_KEEP;
   }
 
-        /* If the cookie has no value, it shouldn't be encrypted. */
+  /* If the cookie has no value, it shouldn't be encrypted. */
   if (0 == Z_STRLEN_P(pDest)) {
     return ZEND_HASH_APPLY_KEEP;
   }
@@ -107,10 +120,10 @@ int decrypt_cookie(zval *pDest, int num_args, va_list args,
   return ZEND_HASH_APPLY_KEEP;
 }
 
-/**
-  This function will return the `data` of length `data_len` encrypted in the
-  form `base64(nonce | encrypted_data)` (with `|` being the concatenation
-  operation).
+/*
+** This function will return the `data` of length `data_len` encrypted in the
+** form `base64(nonce | encrypted_data)` (with `|` being the concatenation
+** operation).
 */
 static zend_string *encrypt_data(char *data, unsigned long long data_len) {
   const size_t encrypted_msg_len = crypto_secretbox_ZEROBYTES + data_len + 1;
@@ -182,9 +195,9 @@ PHP_FUNCTION(sp_setcookie) {
     }
   }
 
-  cookie_node =
-    zend_hash_find_ptr(SNUFFLEUPAGUS_G(config).config_cookie->cookies, name);
-
+  /* lookup existing configuration for said cookie */
+  cookie_node = sp_lookup_cookie_config(ZSTR_VAL(name));
+  
   /* If the cookie's value is encrypted, it won't be usable by
    * javascript anyway.
    */
diff --git a/src/tests/broken_conf_no_cookie_name.phpt b/src/tests/broken_conf_no_cookie_name.phpt
index 4616f12..10fde3e 100644
--- a/src/tests/broken_conf_no_cookie_name.phpt
+++ b/src/tests/broken_conf_no_cookie_name.phpt
@@ -6,4 +6,4 @@ Borken configuration - encrypted cookie with no name
 sp.configuration_file={PWD}/config/config_encrypted_cookies_noname.ini
 --FILE--
 --EXPECT--
-[snuffleupagus][0.0.0.0][config][error] You must specify a cookie name on line 2.
+[snuffleupagus][0.0.0.0][config][error] You must specify a cookie name/regexp on line 2.
diff --git a/src/tests/config/config_encrypted_regexp_cookies.ini b/src/tests/config/config_encrypted_regexp_cookies.ini
new file mode 100644
index 0000000..8ea77f7
--- /dev/null
+++ b/src/tests/config/config_encrypted_regexp_cookies.ini
@@ -0,0 +1,3 @@
+sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.cookie.name_r("^super_co[a-z]+$").encrypt();
+sp.auto_cookie_secure.enable();
diff --git a/src/tests/config/config_encrypted_regexp_cookies_empty_env.ini b/src/tests/config/config_encrypted_regexp_cookies_empty_env.ini
new file mode 100644
index 0000000..da84df7
--- /dev/null
+++ b/src/tests/config/config_encrypted_regexp_cookies_empty_env.ini
@@ -0,0 +1,2 @@
+sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.cookie.name_r("^super_coo[a-z]+$").encrypt();
diff --git a/src/tests/config/encrypt_regexp_cookies_no_env.ini b/src/tests/config/encrypt_regexp_cookies_no_env.ini
new file mode 100644
index 0000000..0e1fa30
--- /dev/null
+++ b/src/tests/config/encrypt_regexp_cookies_no_env.ini
@@ -0,0 +1,2 @@
+sp.global.secret_key("abcdef");
+sp.cookie.name_r("^super_co[a-z]+$").encrypt();
diff --git a/src/tests/config/encrypt_regexp_cookies_no_key.ini b/src/tests/config/encrypt_regexp_cookies_no_key.ini
new file mode 100644
index 0000000..52427f4
--- /dev/null
+++ b/src/tests/config/encrypt_regexp_cookies_no_key.ini
@@ -0,0 +1,2 @@
+sp.global.cookie_env_var("TEST");
+sp.cookie.name_r("^super_co[a-z]+$").encrypt();
diff --git a/src/tests/encrypt_cookies2.phpt b/src/tests/encrypt_cookies2.phpt
index be4c990..195cb24 100644
--- a/src/tests/encrypt_cookies2.phpt
+++ b/src/tests/encrypt_cookies2.phpt
@@ -3,7 +3,7 @@ Cookie encryption in ipv4
 --SKIPIF--
 <?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
 --INI--
-sp.configuration_file={PWD}/config/config_encrypted_cookies.ini
+sp.configuration_file={PWD}/config/config_encrypted_regexp_cookies.ini
 --COOKIE--
 --ENV--
 return <<<EOF
diff --git a/src/tests/encrypt_cookies3.phpt b/src/tests/encrypt_cookies3.phpt
index b4acbc0..ceb364c 100644
--- a/src/tests/encrypt_cookies3.phpt
+++ b/src/tests/encrypt_cookies3.phpt
@@ -3,7 +3,7 @@ Cookie decryption with ipv6
 --SKIPIF--
 <?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
 --INI--
-sp.configuration_file={PWD}/config/config_encrypted_cookies.ini
+sp.configuration_file={PWD}/config/config_encrypted_regexp_cookies.ini
 --COOKIE--
 super_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABM84SCotZTpP6b27Lr5lavORPMvqaKpcUahvxw=;awful_cookie=awful_cookie_value;
 --ENV--
diff --git a/src/tests/encrypt_regexp_cookies.phpt b/src/tests/encrypt_regexp_cookies.phpt
new file mode 100644
index 0000000..6bc187a
--- /dev/null
+++ b/src/tests/encrypt_regexp_cookies.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Cookie decryption in ipv4
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encrypted_regexp_cookies.ini
+--COOKIE--
+super_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP3gV9YJZL/pUeNAjCKFW0U2ywmf1CwHzwd2pWM=;awful_cookie=awful_cookie_value;
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/59.0.3071.109 Chrome/59.0.3071.109 Safari/537.36
+EOF;
+--FILE--
+<?php var_dump($_COOKIE); ?>
+--EXPECT--
+array(2) {
+  ["super_cookie"]=>
+  string(11) "super_value"
+  ["awful_cookie"]=>
+  string(18) "awful_cookie_value"
+}
diff --git a/src/tests/encrypt_regexp_cookies2.phpt b/src/tests/encrypt_regexp_cookies2.phpt
new file mode 100644
index 0000000..195cb24
--- /dev/null
+++ b/src/tests/encrypt_regexp_cookies2.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Cookie encryption in ipv4
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encrypted_regexp_cookies.ini
+--COOKIE--
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/59.0.3071.109 Chrome/59.0.3071.109 Safari/537.36
+HTTPS=1
+EOF;
+--FILE--
+<?php
+setcookie("super_cookie", "super_value");
+setcookie("awful_cookie", "awful_value");
+setcookie("nice_cookie", "nice_value", 1, "1", "1", true, true);
+var_dump($_COOKIE);
+?>
+--EXPECT--
+array(0) {
+}
diff --git a/src/tests/encrypt_regexp_cookies3.phpt b/src/tests/encrypt_regexp_cookies3.phpt
new file mode 100644
index 0000000..ceb364c
--- /dev/null
+++ b/src/tests/encrypt_regexp_cookies3.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Cookie decryption with ipv6
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encrypted_regexp_cookies.ini
+--COOKIE--
+super_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABM84SCotZTpP6b27Lr5lavORPMvqaKpcUahvxw=;awful_cookie=awful_cookie_value;
+--ENV--
+return <<<EOF
+REMOTE_ADDR=2001:0db8:0000:0000:0000:fe00:0042:8329
+HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/59.0.3071.109 Chrome/59.0.3071.109 Safari/537.36
+HTTPS=1
+EOF;
+--FILE--
+<?php var_dump($_COOKIE); ?>
+--EXPECT--
+array(2) {
+  ["super_cookie"]=>
+  string(11) "super_value"
+  ["awful_cookie"]=>
+  string(18) "awful_cookie_value"
+}
diff --git a/src/tests/encrypt_regexp_cookies4.phpt b/src/tests/encrypt_regexp_cookies4.phpt
new file mode 100644
index 0000000..14d737a
--- /dev/null
+++ b/src/tests/encrypt_regexp_cookies4.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Cookie encryption in ipv6
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encrypted_cookies.ini
+--COOKIE--
+--ENV--
+return <<<EOF
+REMOTE_ADDR=2001:0db8:0000:0000:0000:fe00:0042:8329
+HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/59.0.3071.109 Chrome/59.0.3071.109 Safari/537.36
+HTTPS=1
+EOF;
+--FILE--
+<?php
+setcookie("super_cookie", "super_value");
+setcookie("awful_cookie", "awful_value");
+setcookie("nice_cookie", "nice_value", 1, "1", "1", true, true);
+var_dump($_COOKIE);
+?>
+--EXPECT--
+array(0) {
+}
diff --git a/src/tests/encrypt_regexp_cookies_empty_env.phpt b/src/tests/encrypt_regexp_cookies_empty_env.phpt
new file mode 100644
index 0000000..1ee6160
--- /dev/null
+++ b/src/tests/encrypt_regexp_cookies_empty_env.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Cookie encryption - empty environment variable specified
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encrypted_regexp_cookies_empty_env.ini
+display_errors=1
+display_startup_errors=1
+error_reporting=E_ALL
+--COOKIE--
+super_cookie=1337;awful_cookie=awful_cookie_value;
+--ENV--
+return <<<EOF
+NOT_REMOTE_ADDR=127.0.0.1
+EOF;
+--FILE--
+<?php echo "1\n\n\n\n\n"; ?>
+--EXPECT--
+1
diff --git a/src/tests/encrypt_regexp_cookies_invalid_decryption.phpt b/src/tests/encrypt_regexp_cookies_invalid_decryption.phpt
new file mode 100644
index 0000000..22bed26
--- /dev/null
+++ b/src/tests/encrypt_regexp_cookies_invalid_decryption.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Cookie encryption
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encrypted_regexp_cookies.ini
+display_errors=1
+display_startup_errors=1
+error_reporting=E_ALL
+--COOKIE--
+super_cookie=jWjORGsgZyqzk3WA63XZBmUoSknXWnXDfAAAAAAAAAAAAAAAAAAAAAA7LiMDfkpP94jDnMVH%2Fm41GeL0Y00q3mbOFYz%2FS9mQGySu;awful_cookie=awful_cookie_value;
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+EOF;
+--FILE--
+<?php var_dump($_COOKIE); ?>
+--EXPECT--
+
+array(1) {
+  ["awful_cookie"]=>
+  string(18) "awful_cookie_value"
+}
diff --git a/src/tests/encrypt_regexp_cookies_invalid_decryption2.phpt b/src/tests/encrypt_regexp_cookies_invalid_decryption2.phpt
new file mode 100644
index 0000000..1a740c0
--- /dev/null
+++ b/src/tests/encrypt_regexp_cookies_invalid_decryption2.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Cookie encryption
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encrypted_regexp_cookies.ini
+display_errors=1
+display_startup_errors=1
+error_reporting=E_ALL
+--COOKIE--
+super_cookie=1337;awful_cookie=awful_cookie_value;
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+EOF;
+--FILE--
+<?php var_dump($_COOKIE); ?>
+--EXPECT--
+
+array(1) {
+  ["awful_cookie"]=>
+  string(18) "awful_cookie_value"
+}
diff --git a/src/tests/encrypt_regexp_cookies_invalid_decryption3.phpt b/src/tests/encrypt_regexp_cookies_invalid_decryption3.phpt
new file mode 100644
index 0000000..28ffaad
--- /dev/null
+++ b/src/tests/encrypt_regexp_cookies_invalid_decryption3.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Cookie encryption
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encrypted_regexp_cookies.ini
+--COOKIE--
+super_cookie=;awful_cookie=awful_cookie_value;
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+EOF;
+--FILE--
+<?php var_dump($_COOKIE); ?>
+--EXPECT--
+array(2) {
+  ["super_cookie"]=>
+  string(0) ""
+  ["awful_cookie"]=>
+  string(18) "awful_cookie_value"
+}
diff --git a/src/tests/encrypt_regexp_cookies_no_env.phpt b/src/tests/encrypt_regexp_cookies_no_env.phpt
new file mode 100644
index 0000000..37b95c1
--- /dev/null
+++ b/src/tests/encrypt_regexp_cookies_no_env.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Cookie encryption - no environment variable specified
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/encrypt_regexp_cookies_no_env.ini
+display_errors=1
+display_startup_errors=1
+error_reporting=E_ALL
+--COOKIE--
+super_cookie=1337;awful_cookie=awful_cookie_value;
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+EOF;
+--FILE--
+<?php echo "1\n\n\n\n\n"; ?>
+--EXPECT--
+1
diff --git a/src/tests/encrypt_regexp_cookies_no_key.phpt b/src/tests/encrypt_regexp_cookies_no_key.phpt
new file mode 100644
index 0000000..12512ce
--- /dev/null
+++ b/src/tests/encrypt_regexp_cookies_no_key.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Cookie encryption - no encryption key specified
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/encrypt_regexp_cookies_no_key.ini
+display_errors=1
+display_startup_errors=1
+error_reporting=E_ALL
+--COOKIE--
+super_cookie=1337;awful_cookie=awful_cookie_value;
+--ENV--
+return <<<EOF
+REMOTE_ADDR=127.0.0.1
+EOF;
+--FILE--
+<?php echo "1\n\n\n\n\n"; ?>
+--EXPECT--
+1